-
Notifications
You must be signed in to change notification settings - Fork 694
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
There are several CVEs targeting the CUPS software, some of them for various subpackages such as cups-browsed, or libppd. These subpackages often borrow lots of code from the mainline CUPS package, causing CVEs to be theoretically applicable in both places. These CVEs can be combined and exploited for remote command execution as described in https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/ These CVEs for CUPS and various CUPS related packages include: - CVE-2024-47176 - CVE-2024-47076 - CVE-2024-47175 - CVE-2024-47177 While Photon is *NOT* at risk of this particular exploit chain, because we don't have the cups-browsed service, CVEs such as CVE-2024-47175 which applies to libppd also affects the same code in mainline CUPS and should be patched. There are 5 commits needed to remediate this exploit in mainline CUPS, as described in https://www.openwall.com/lists/oss-security/2024/09/27/3 Update to the latest subversion 2.4.11 in order to consume these fixes. Change-Id: Ieff8b832dfeb1004c1dcd3b7dd93b0c834a88ffd Reviewed-on: http://photon-gerrit.lvn.broadcom.net/c/photon/+/24932 Reviewed-by: Harinadh Dommaraju <[email protected]> Reviewed-by: Shreenidhi Shedi <[email protected]> Tested-by: gerrit-photon <[email protected]>
- Loading branch information
1 parent
af3c100
commit d007e98
Showing
4 changed files
with
15 additions
and
7 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,15 +1,15 @@ | ||
| Summary: The Common UNIX Printing System | ||
| Name: cups | ||
| Version: 2.4.7 | ||
| Release: 4%{?dist} | ||
| Version: 2.4.11 | ||
| Release: 1%{?dist} | ||
| License: LGPLv2+ | ||
| URL: https://openprinting.github.io/cups | ||
| Group: System Environment/Libraries | ||
| Vendor: VMware, Inc. | ||
| Distribution: Photon | ||
|
|
||
| Source0: https://github.com/OpenPrinting/cups/releases/download/v%{version}/cups-%{version}.tar.gz | ||
| %define sha512 %{name}=27ca505a2868aa7bc248bac892aafe2a837633e73b6059d3ab4812264e3b0e786ef075751e8cc4300ce6bc43ef095e3d77dd3fce88ce8e72ca69b65093427bca | ||
| Source0: https://github.com/OpenPrinting/cups/releases/download/v%{version}/cups-%{version}-source.tar.gz | ||
| %define sha512 %{name}=5868f069cb5eaa5c74e703ed7773914376fb819ebabd7881df8726092eab390c8a1db75c4d08377a836a87807765ad2c16a15b406ab0580fdda2b176e2da3162 | ||
|
|
||
| BuildRequires: automake | ||
| BuildRequires: dbus-devel | ||
|
|
@@ -91,6 +91,8 @@ rm -rf %{buildroot}/* | |
| %{_libdir}/pkgconfig/cups.pc | ||
|
|
||
| %changelog | ||
| * Tue Dec 10 2024 Brennan Lamoreaux <[email protected]> 2.4.11-1 | ||
| - Update to latest version | ||
| * Wed Feb 07 2024 Shreenidhi Shedi <[email protected]> 2.4.7-4 | ||
| - Bump version as a part of dbus upgrade | ||
| * Fri Nov 24 2023 Shreenidhi Shedi <[email protected]> 2.4.7-3 | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,7 +1,7 @@ | ||
| Summary: GUI library. | ||
| Name: gtk3 | ||
| Version: 3.23.3 | ||
| Release: 9%{?dist} | ||
| Release: 10%{?dist} | ||
| License: LGPLv2+ | ||
| URL: http://www.gtk.org | ||
| Group: System Environment/Libraries | ||
|
|
@@ -160,6 +160,8 @@ rm -rf %{buildroot}/* | |
| %{_sysconfdir}/gtk-3.0/ | ||
|
|
||
| %changelog | ||
| * Mon Dec 16 2024 Brennan Lamoreaux <[email protected]> 3.23.3-10 | ||
| - Bump version as part of cups upgrade | ||
| * Thu Mar 28 2024 Ashwin Dayanand Kamat <[email protected]> 3.23.3-9 | ||
| - Bump version as a part of libxml2 upgrade | ||
| * Tue Feb 20 2024 Ashwin Dayanand Kamat <[email protected]> 3.23.3-8 | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,7 @@ | |
| Summary: OpenJDK | ||
| Name: openjdk11 | ||
| Version: 11.0.20 | ||
| Release: 6%{?dist} | ||
| Release: 7%{?dist} | ||
| License: GNU General Public License V2 | ||
| URL: https://github.com/openjdk/jdk11u | ||
| Group: Development/Tools | ||
|
|
@@ -246,6 +246,8 @@ rm -rf %{buildroot}/* %{_libdir}/jvm/OpenJDK-* | |
| %{_libdir}/jvm/OpenJDK-%{jdk_major_version}/lib/src.zip | ||
|
|
||
| %changelog | ||
| * Mon Dec 16 2024 Brennan Lamoreaux <[email protected]> 11.0.20-7 | ||
| - Version bump as a part of cups upgrade | ||
| * Fri Sep 29 2023 Srish Srinivasan <[email protected]> 11.0.20-6 | ||
| - Version bump as a part of cups upgrade | ||
| * Mon Sep 04 2023 Vamsi Krishna Brahmajosyula <[email protected]> 11.0.20-5 | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -5,7 +5,7 @@ | |
| Summary: OpenJDK | ||
| Name: openjdk17 | ||
| Version: 17.0.8 | ||
| Release: 2%{?dist} | ||
| Release: 3%{?dist} | ||
| License: GNU General Public License V2 | ||
| URL: https://github.com/openjdk/jdk17u | ||
| Group: Development/Tools | ||
|
|
@@ -231,6 +231,8 @@ rm -rf %{buildroot}/* %{_libdir}/jvm/OpenJDK-* | |
| %{_libdir}/jvm/OpenJDK-%{jdk_major_version}/lib/src.zip | ||
|
|
||
| %changelog | ||
| * Mon Dec 16 2024 Brennan Lamoreaux <[email protected]> 17.0.8-3 | ||
| - Version bump as a part of cups upgrade | ||
| * Fri Sep 29 2023 Srish Srinivasan <[email protected]> 17.0.8-2 | ||
| - Version bump as a part of cups upgrade | ||
| * Wed Aug 23 2023 Shreenidhi Shedi <[email protected]> 17.0.8-1 | ||
|
|
||